WoSign has since stopped doing website control validation entirely. However, that does not decrease the seriousness of the bug/feature. It also raises the question of how such a feature could make it through review, testing and QA.
==Issue O: Intermediates with Duplicate Serial Numbers (May - July 2015)==
WoSign has issued two pairs of intermediates in which both certificates of a pair carry the same issuer and the same serial number - [https://crt.sh/?serial=44807b207cf2052e8d3411770266d295&iCAID=1450 one pair] with a notBefore in May 2015, and [https://crt.sh/?serial=3adec402270bf4ee9e892cc65e0ada21&iCAID=1450 one pair] with a notBefore in July 2015. All four certificates were issued by WoSign's "CA 沃通根证书" root. This violates RFC 5280 (section 4.1.2.2), which requires the serial number to be unique among all certificates issued by a given CA.
One certificate of each pair has CRL and OCSP URLs under domains such as cr.wscrl.cn, oc.wsocsp.cn and ai.wscrl.cn; these domains no longer exist. The other certificate of each pair has CRL and OCSP URLs at subdomains of wosign.cn; these subdomains do exist, and point to the Akamai CDN. For one of the pairs, the first certificate was logged in Google's 'pilot' CT log about a month before the second one. One possibility is that WoSign planned one strategy for CRL and OCSP hosting, then changed strategy, and re-issued the intermediates with new URLs as a result. If that is the case, it raises the question of why both certificates carry the same notBefore date, since a certificate re-issued a month later would normally carry the date on which it was actually issued.
Given that intermediates are issued manually rather than in an automated fashion, and should normally be surrounded by strong controls, reusing a serial number for two intermediates is disappointing.
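The check that would have caught this (and that anyone auditing a CA's issued intermediates can run) is to group certificates by (issuer, serial) and flag any group with more than one member. The following is an added example, not code from WoSign, Mozilla or the investigation; it parses just enough DER to reach the serialNumber and issuer fields of a Certificate, compares issuers by their raw DER bytes (DER is canonical, so byte equality is name equality for the usual case), and reports duplicates. The sample certificates are constructed inline: they are structurally valid but unsigned and placeholder-filled, with the issuer name and the two serial numbers taken from the crt.sh records above and hypothetical subject names. `load_pem_bundle` is provided for running the same check over a real PEM bundle.

```python
"""Scan a set of DER certificates for duplicate (issuer, serial) pairs.

RFC 5280 section 4.1.2.2 requires the serial number to be unique among all
certificates issued by one CA, so two certificates that share both issuer and
serial are a violation regardless of what else differs between them.
The DER parsing below is just enough to reach the serialNumber and issuer
fields; it does not verify signatures or anything else.
"""
import base64
import re
from collections import defaultdict


# --- just enough DER to build and read a Certificate --------------------------

def der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_int(value):
    """Non-negative INTEGER; pads a leading 0x00 when the top bit is set."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_cn(text):
    """Name containing a single commonName RDN (OID 2.5.4.3, UTF8String)."""
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, text.encode()))
    return der(0x30, der(0x31, atv))


def read_tlv(buf, pos=0):
    """Return (tag, content, position after the element) for the element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def issuer_and_serial(cert_der):
    """Extract (issuer Name as raw DER bytes, serialNumber as int) from a Certificate."""
    _, cert, _ = read_tlv(cert_der)          # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = read_tlv(cert)               # TBSCertificate ::= SEQUENCE { ... }
    tag, content, pos = read_tlv(tbs)
    if tag == 0xA0:                          # EXPLICIT [0] version is optional (absent for v1)
        tag, content, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not where expected")
    serial = int.from_bytes(content, "big", signed=True)
    _, _, pos = read_tlv(tbs, pos)           # signature AlgorithmIdentifier
    start = pos
    _, _, pos = read_tlv(tbs, pos)           # issuer Name
    # DER is canonical, so byte-identical issuer encodings mean the same name.
    return tbs[start:pos], serial


def find_duplicate_serials(certs):
    """Map each (issuer, serial) pair that occurs more than once to the labels using it."""
    groups = defaultdict(list)
    for label, cert_der in certs.items():
        groups[issuer_and_serial(cert_der)].append(label)
    return {key: labels for key, labels in groups.items() if len(labels) > 1}


def load_pem_bundle(text):
    """DER bodies of every CERTIFICATE block in a PEM file (for scanning real bundles)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode(b) for b in blocks]


# --- constructed sample input --------------------------------------------------
# Structurally valid but unsigned, placeholder-filled certificates. The issuer
# name and the two serials are from the crt.sh records; subjects are made up.

def synthetic_cert(issuer_cn, serial, subject_cn):
    sig_alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))  # sha256WithRSA
    key_alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b""))  # rsaEncryption
    validity = der(0x30, der(0x17, b"150501000000Z") + der(0x17, b"300501000000Z"))
    spki = der(0x30, key_alg + der(0x03, b"\x00"))   # empty placeholder key
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(serial) + sig_alg + der_cn(issuer_cn)
              + validity + der_cn(subject_cn) + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00"))  # empty placeholder signature


ROOT = "CA 沃通根证书"
SERIAL_MAY = 0x44807b207cf2052e8d3411770266d295
SERIAL_JUL = 0x3adec402270bf4ee9e892cc65e0ada21

SAMPLE_CERTS = {
    "may-intermediate-1": synthetic_cert(ROOT, SERIAL_MAY, "Hypothetical Intermediate A, first issuance"),
    "may-intermediate-2": synthetic_cert(ROOT, SERIAL_MAY, "Hypothetical Intermediate A, re-issuance"),
    "jul-intermediate-1": synthetic_cert(ROOT, SERIAL_JUL, "Hypothetical Intermediate B, first issuance"),
    "jul-intermediate-2": synthetic_cert(ROOT, SERIAL_JUL, "Hypothetical Intermediate B, re-issuance"),
    "unrelated":          synthetic_cert("Some Other CA", SERIAL_MAY, "Same serial, different issuer"),
}

if __name__ == "__main__":
    for (issuer, serial), labels in find_duplicate_serials(SAMPLE_CERTS).items():
        print(f"serial {serial:x} reused under one issuer by: {', '.join(labels)}")
```

Run against the constructed set, the scan reports exactly the two WoSign pairs and ignores the "unrelated" certificate, because uniqueness is required per issuer, not globally. For a real audit, replace `SAMPLE_CERTS` with `{str(i): c for i, c in enumerate(load_pem_bundle(open(path).read()))}`; note that this compares issuers by raw DER bytes, which is the practical check but stricter than the name-matching rules in RFC 5280 section 7.1, so two differently-encoded spellings of the same issuer would be treated as distinct.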
Thanks to Kurt Roeckx and Rob Stradling for their help with this issue.
===WoSign Response===
This issue has not yet been formally brought to WoSign's attention.
===Further Comments and Conclusion===
N/A.
==Issue P: Use of SM2 Algorithm (Nov 2015)==